1 00:00:09,460 --> 00:00:15,340 everyone, I think, knows ATMs, used ATMs
2 00:00:15,340 --> 00:00:20,180 and our security researchers there
3 00:00:20,180 --> 00:00:28,700 have something very interesting to tell us about electronic bank robberies
4 00:00:28,700 --> 00:00:39,634 and because them, please welcome our two security researchers with a very warm applause
5 00:00:46,820 --> 00:00:48,100 tw: are we on?
6 00:00:48,100 --> 00:00:49,099 okay, well
7 00:00:49,114 --> 00:00:51,540 welcome to our little talk here
8 00:00:51,540 --> 00:00:54,100 and thanks for the introduction
9 00:00:54,100 --> 00:00:58,140 as the angel said, I guess everybody knows what an ATM is
10 00:00:58,140 --> 00:01:02,600 it's basically used by people to dispense money from their accounts
11 00:01:02,600 --> 00:01:06,180 either because they live in countries like this one
12 00:01:06,180 --> 00:01:09,260 where you really don't use credit cards to pay
13 00:01:09,260 --> 00:01:13,940 or because you don't wanna be tracked, right?
14 00:01:13,940 --> 00:01:19,600 we're gonna tell a little war story here
15 00:01:19,600 --> 00:01:22,459 and that's a case of ATM hacking
16 00:01:22,459 --> 00:01:26,980 a real world incident that occurred this year
17 00:01:26,980 --> 00:01:29,620 and you wanna remember this number here
18 00:01:29,620 --> 00:01:35,420 because that's how you enable the hacked system
19 00:01:35,420 --> 00:01:37,460 in case it's infected
20 00:01:37,460 --> 00:01:41,380 and I'm gonna hand over to my co-speaker here
21 00:01:41,380 --> 00:01:44,740 to tell you about the first few things here
22 00:01:44,740 --> 00:01:48,700 sb: yeah, okay, so let's just have a quick look
23 00:01:48,700 --> 00:01:51,500 what do we have in a cash machine
24 00:01:51,500 --> 00:01:54,100 so of course we have a safe
25 00:01:54,100 --> 00:01:55,939 that's where we want to get in
26 00:01:55,939 --> 00:01:57,980 there's the money, we want to spend
27 00:01:57,980 --> 00:02:00,980 so of course we have a normal computer
28 00:02:00,980 --> 00:02:02,900 it's like a desktop computer
29 00:02:02,900 --> 00:02:06,380 mostly it's running a normal operating system
30 00:02:06,380 --> 00:02:08,779 most likely it's Windows XP
31 00:02:08,779 --> 00:02:16,504 and with just a few different manufacturers that build the teller machines
32 00:02:16,504 --> 00:02:19,214 and, yes
33 00:02:19,214 --> 00:02:22,420 we as users, we use a common user interface
34 00:02:22,420 --> 00:02:25,700 it's just a screen - most likely it's a touchscreen
35 00:02:25,700 --> 00:02:28,300 or we have then the EPP number pads
36 00:02:28,300 --> 00:02:32,140 where we put the PIN number for our card
37 00:02:32,140 --> 00:02:34,220 tw: one thing I would like to add to this slide
38 00:02:34,220 --> 00:02:37,140 you see the picture on the right hand side
39 00:02:37,140 --> 00:02:41,780 that's a photo we took yesterday when we arrived here at Hamburg main station
40 00:02:41,780 --> 00:02:46,780 and it's interesting, because this is the state hacked ATMs are usually in
41 00:02:46,780 --> 00:02:49,620 before the bad guys go there and cash out
42 00:02:49,620 --> 00:02:55,500 I don't know - maybe this one is infected, too
43 00:02:55,500 --> 00:03:00,260 sb: this is not the first ATM hacking, of course
44 00:03:00,260 --> 00:03:08,420 the most famous one was from Barnaby at the Black Hat in 2010
45 00:03:08,420 --> 00:03:12,340 you see in the screenshot here
46 00:03:12,340 --> 00:03:15,340 this was the user interface of his malware
47 00:03:15,340 --> 00:03:20,740 so from the functionality it's quite alike
48 00:03:20,740 --> 00:03:24,500 but not as nice
49 00:03:24,500 --> 00:03:32,420 tw: has anybody in the room looked at this Ploutus thing by any chance?
50 00:03:32,420 --> 00:03:34,860 no...
51 00:03:34,860 --> 00:03:41,500 sb: okay, so of course we have a lot of POS malware
52 00:03:41,500 --> 00:03:43,620 from mobile terminals
53 00:03:43,620 --> 00:03:46,540 to steal just sensitive information
54 00:03:46,540 --> 00:03:49,820 like the credit card data or payment data or something
55 00:03:49,820 --> 00:03:54,220 and the most famous one this year even was the Ploutus malware
56 00:03:54,220 --> 00:03:57,260 probably you've heard about it - quite famous
57 00:03:57,260 --> 00:04:01,180 we had a quick look at Ploutus, too
58 00:04:01,180 --> 00:04:03,140 it was written in .NET
59 00:04:03,140 --> 00:04:06,500 from the functionality it's similar or the same
60 00:04:06,500 --> 00:04:14,660 but not as advanced
61 00:04:14,660 --> 00:04:19,380 why are we standing here and talking about this case?
62 00:04:19,380 --> 00:04:22,460 we had an incident
63 00:04:22,460 --> 00:04:27,200 a bank, they discovered, they had a lot of
64 00:04:27,200 --> 00:04:30,740 empty teller machines and they started to
65 00:04:30,740 --> 00:04:35,100 work in investigation for themselves
66 00:04:35,100 --> 00:04:40,420 just a little bit of forensics and it was just limited success
67 00:04:40,420 --> 00:04:45,820 but yeah, they had to do something about it and they tapped up surveillance
68 00:04:45,820 --> 00:04:50,180 and improved monitoring
69 00:04:50,180 --> 00:05:04,820 and they started to discover that the infection was conducted via a USB stick
70 00:05:04,820 --> 00:05:11,420 they managed to arrest the guy and to secure this USB stick
71 00:05:11,420 --> 00:05:16,980 and on the USB stick we found actually that malware and started to examine that
72 00:05:16,980 --> 00:05:19,260 tw: yeah so to re-address that, before we go on
73 00:05:19,260 --> 00:05:23,980 what they did was: they figured "okay there's something going on with our ATMs"
74 00:05:23,980 --> 00:05:28,180 and they improved their surveillance technology, if you will
75 00:05:28,180 --> 00:05:32,420 and then saw that guy trying to cash out from one of the hacked machines
76 00:05:32,420 --> 00:05:34,620 and then they went there, arrested the guy
77 00:05:34,620 --> 00:05:38,540 and confiscated the USB thumb drive that he was carrying
78 00:05:38,540 --> 00:05:43,600 and that's where we started our analysis
79 00:05:43,600 --> 00:05:49,940 right
80 00:05:49,940 --> 00:05:54,220 sb: they plugged in a USB stick
81 00:05:54,220 --> 00:05:59,140 they broke a small part of the chassis
82 00:05:59,140 --> 00:06:03,460 it's just PVC, so it's not hard to break that
83 00:06:03,460 --> 00:06:07,580 and they plugged in a USB device and forced the ATM to reboot
84 00:06:07,580 --> 00:06:10,260 so you can do that by cutting the power off
85 00:06:10,260 --> 00:06:15,260 or putting down the LAN interface or plugging it out
86 00:06:15,260 --> 00:06:22,340 they forced the ATM to reboot and therefore to reboot from the USB device
87 00:06:22,340 --> 00:06:28,380 and what we found on the USB device was just a simple image of a Hiren boot CD
88 00:06:28,380 --> 00:06:30,540 everyone can just download that
89 00:06:30,540 --> 00:06:35,180 and within that Hiren boot CD it's just a mini XP running
90 00:06:35,180 --> 00:06:41,900 and you have a folder where you can just put customer executables
91 00:06:41,900 --> 00:06:48,460 that will automatically be started when the XP is booted
92 00:06:48,460 --> 00:06:53,820 within this customer section we just found our malware
93 00:06:53,820 --> 00:07:00,460 it was a batch that was called hack.bat
94 00:07:00,460 --> 00:07:02,380 just very nice
95 00:07:02,380 --> 00:07:07,620 so actually we thought that this is probably a fake
96 00:07:07,620 --> 00:07:11,460 because they just wanted us to examine the wrong file
97 00:07:11,460 --> 00:07:13,180 to save some time
98 00:07:13,180 --> 00:07:14,940 because it was just that obvious
99 00:07:14,940 --> 00:07:18,540 you will have a look at the bat script afterwards
100 00:07:18,540 --> 00:07:21,100 so you can see what I mean
101 00:07:21,100 --> 00:07:23,260 so yes, it's just a mini-XP
102 00:07:23,260 --> 00:07:26,200 you have the hack.bat
103 00:07:26,200 --> 00:07:31,180 and this will actually start the real malware
104 00:07:31,180 --> 00:07:33,780 the so-called atm.exe
105 00:07:33,780 --> 00:07:43,380 and yeah... what we found then besides the bootable device on the stick were some very interesting files
106 00:07:43,380 --> 00:07:48,180 they were obviously copied from the infected ATM teller machines
107 00:07:48,180 --> 00:07:52,180 we can tell that, because there were three different ones that we found there
108 00:07:52,180 --> 00:07:58,500 and it was very interesting what kind of data were copied from the ATMs
109 00:07:58,500 --> 00:08:03,220 we found data like system data
110 00:08:03,220 --> 00:08:09,420 like for example the software hive key
111 00:08:09,420 --> 00:08:17,500 a lot of files that have cache data, credit card data, payment data, something like that
112 00:08:17,500 --> 00:08:22,260 from each of the infected teller machines
113 00:08:22,260 --> 00:08:26,820 and of course we have our atm.exe
114 00:08:26,820 --> 00:08:28,860 that was really interesting
115 00:08:28,860 --> 00:08:36,300 and we take a quick look at the hack.bat script
116 00:08:36,300 --> 00:08:38,660 so you see, it's very user friendly
117 00:08:38,660 --> 00:08:44,460 because they implemented a lot of very interesting switches
118 00:08:44,460 --> 00:08:54,540 we see, right at the top, that he begins to copy the software hive key of the infected machines
119 00:08:54,540 --> 00:09:01,940 and at first he's checking if the system is already hacked or if he has to do it
120 00:09:01,940 --> 00:09:04,620 the switches you can see here
121 00:09:04,620 --> 00:09:09,140 they are all implemented
122 00:09:09,140 --> 00:09:12,600 the most used one is of course "-hack"
123 00:09:12,600 --> 00:09:16,620 we see otherwise, that you have some functionality like clear log files
124 00:09:16,620 --> 00:09:18,340 or get the log files
125 00:09:18,340 --> 00:09:24,540 this is the part where he copies really interesting data from the teller machines
126 00:09:24,540 --> 00:09:28,300 of course the question is: why does he do that?
127 00:09:28,300 --> 00:09:32,420 we answer that later
128 00:09:32,420 --> 00:09:39,980 it also has got a functionality on it that he can cover his tracks
129 00:09:39,980 --> 00:09:49,340 you can clear all files of the malware and remove it also
130 00:09:49,340 --> 00:09:54,700 a little bit more about the installer of the atm.exe
131 00:09:54,700 --> 00:09:55,940 tw: yeah, thanks
132 00:09:55,940 --> 00:09:57,780 I mean of course we were curious
133 00:09:57,780 --> 00:10:00,540 now that we know how the system gets infected
134 00:10:00,540 --> 00:10:05,600 insert the USB drive, force a reboot and then the batch script runs
135 00:10:05,600 --> 00:10:09,820 we were curious: how does the actual cash out process work?
136 00:10:09,820 --> 00:10:11,980 how do you get money out of the thing?
137 00:10:11,980 --> 00:10:13,740 what we did was
138 00:10:13,740 --> 00:10:16,499 we took this atm.exe file - the executable
139 00:10:16,499 --> 00:10:19,260 and reverse engineered that to recover the functionality
140 00:10:19,260 --> 00:10:24,739 and the next couple of slides talk about what we found in this executable
141 00:10:24,739 --> 00:10:27,200 first of all
142 00:10:27,200 --> 00:10:30,780 the atm.exe is a UPX packed thing
143 00:10:30,780 --> 00:10:33,420 UPX is one of the standard packers
144 00:10:33,420 --> 00:10:38,140 you can easily unpack the original code again
145 00:10:38,140 --> 00:10:41,580 and then we came across an interesting fact
146 00:10:41,580 --> 00:10:44,900 so we unpacked it and loaded it up into our analysis tools
147 00:10:44,900 --> 00:10:46,940 what you can see on the right hand side
148 00:10:46,940 --> 00:10:49,660 it's a little bit blurred, but we hope you can still read it
149 00:10:49,660 --> 00:10:53,300 is IDA Pro, that probably many of you are familiar with
150 00:10:53,300 --> 00:10:56,820 one of the state-of-the-art disassemblers
151 00:10:56,820 --> 00:10:59,580 so we loaded that file up into IDA Pro, took a look at the code
152 00:10:59,580 --> 00:11:02,600 and then we discovered something interesting
153 00:11:02,600 --> 00:11:07,460 we discovered that the original executable contains a resource
154 00:11:07,460 --> 00:11:10,140 if you are a little bit familiar with the PE format
155 00:11:10,140 --> 00:11:12,780 the executable file format on Windows systems
156 00:11:12,780 --> 00:11:17,380 you might know that there are containers that you can use to store additional data
157 00:11:17,380 --> 00:11:19,200 or attach data to a binary
158 00:11:19,200 --> 00:11:20,418 they are called resources
159 00:11:20,418 --> 00:11:24,460 so this binary had a resource and there was some encrypted data in there
160 00:11:24,460 --> 00:11:30,860 which turned out to be a DLL that contains the actual malicious functionality
161 00:11:30,860 --> 00:11:35,220 and the interesting thing is that this resource is XOR-encrypted
162 00:11:35,220 --> 00:11:38,700 now XOR is not a particularly strong encryption scheme
163 00:11:38,700 --> 00:11:41,780 but nevertheless, if the key is long enough
164 00:11:41,780 --> 00:11:43,180 like 4 bytes in this case
165 00:11:43,180 --> 00:11:45,180 I mean you can still probably brute-force it
166 00:11:45,180 --> 00:11:47,260 but well, you know
167 00:11:47,260 --> 00:11:54,620 we figured that every executable that's deployed onto an ATM has the resource
168 00:11:54,620 --> 00:12:01,580 encrypted with a key that is derived from the volume serial
169 00:12:01,580 --> 00:12:04,780 which is an ID that is assigned to a hard drive when it's formatted
170 00:12:04,780 --> 00:12:06,420 by the operating system
171 00:12:06,420 --> 00:12:13,460 that means that every executable that's deployed onto an ATM is tailored specifically for this ATM
172 00:12:13,460 --> 00:12:17,620 so it's not mass-malware that you can install on any ATM
173 00:12:17,620 --> 00:12:21,830 each executable only runs on one very specific ATM
174 00:12:21,830 --> 00:12:23,580 and that's interesting
175 00:12:23,580 --> 00:12:29,500 I mean of course that raises the question: How do they get this ID in the first place?
176 00:12:29,500 --> 00:12:32,460 How do they create this binary with the encrypted resource?
177 00:12:32,460 --> 00:12:35,140 Where do they get the volume serials from?
178 00:12:35,140 --> 00:12:36,740 and there are basically two options
179 00:12:36,740 --> 00:12:38,340 I mean we don't have the answers to these questions
180 00:12:38,340 --> 00:12:40,100 but there are only two options
181 00:12:40,100 --> 00:12:46,900 one is: they go to the ATMs the first time, run their stuff
182 00:12:46,900 --> 00:12:50,200 and extract the volume serial ID from the system
183 00:12:50,200 --> 00:12:53,420 then go home, prepare the malware and then come back to infect the system
184 00:12:53,420 --> 00:12:56,410 which seems kind of risky, because
185 00:12:56,410 --> 00:12:59,530 if you get caught while doing this... well then
186 00:12:59,530 --> 00:13:01,010 you'll lose something
187 00:13:01,010 --> 00:13:04,380 the other option is...
188 00:13:04,380 --> 00:13:08,330 we'll leave that to your imagination
189 00:13:14,590 --> 00:13:16,200 so what we did
190 00:13:16,200 --> 00:13:25,580 what you see here on the right hand side is some code that is executed after the XOR-decryption of the resource
191 00:13:25,580 --> 00:13:29,300 and if you look closely enough you can see in the first basic block up there
192 00:13:29,300 --> 00:13:33,200 it checks if the first byte of the decrypted data is an "M"
193 00:13:33,200 --> 00:13:36,580 and then the next one checks if the next byte - the second byte - is a "Z"
194 00:13:36,580 --> 00:13:40,580 which is part of the PE file header - MZ header
195 00:13:40,580 --> 00:13:45,380 so we figured: okay, this is probably an executable
196 00:13:45,380 --> 00:13:47,700 and that's how we recovered the original code
197 00:13:47,700 --> 00:13:50,340 we assumed that this is an executable and then
198 00:13:50,340 --> 00:13:52,420 you can call it a known plaintext attack or something like that
199 00:13:52,420 --> 00:13:57,860 we reverted the XOR-encryption and recovered the DLL
200 00:13:57,860 --> 00:14:01,900 and after this happened, of course
201 00:14:01,900 --> 00:14:06,220 the dropper runs some checksumming code
202 00:14:06,220 --> 00:14:16,500 to verify that the extracted and decrypted code is actually the DLL it wants to run
203 00:14:21,740 --> 00:14:24,300 so after we recovered this malicious DLL
204 00:14:24,300 --> 00:14:26,380 we took a closer look at that one
205 00:14:26,380 --> 00:14:33,260 and it's dropped into this path up there under the system directory
206 00:14:33,260 --> 00:14:38,180 and the value in the squared brackets over there is again derived from the volume ID
207 00:14:38,180 --> 00:14:40,820 so if you come across one of these DLLs
208 00:14:40,820 --> 00:14:42,820 you can take a look at the file name
209 00:14:42,820 --> 00:14:45,900 and that's linked to the ATM it's supposed to run on
210 00:14:45,900 --> 00:14:48,140 because of the naming scheme here
211 00:14:48,140 --> 00:14:53,200 so that's how - and of course I mean you can see all of that in the code
212 00:14:53,200 --> 00:14:56,600 that the second value there is hard-coded
213 00:14:56,600 --> 00:15:03,460 that's how we figured: okay this sample was supposed to run on an ATM with this volume ID
214 00:15:03,460 --> 00:15:06,260 and then we came across something else
215 00:15:06,260 --> 00:15:08,460 something that's as interesting
216 00:15:08,460 --> 00:15:13,460 this DLL, or the malware in general writes a log file
217 00:15:13,460 --> 00:15:17,180 and stores this on the USB drive that's used for the infection process
218 00:15:17,180 --> 00:15:19,073 and that's pretty verbose
219 00:15:19,073 --> 00:15:20,966 if you look at this
220 00:15:20,966 --> 00:15:22,860 again we have to apologize that it's a little blurry
221 00:15:22,860 --> 00:15:25,700 but there you can see
222 00:15:25,700 --> 00:15:28,540 it's basically what is executed when the batch script runs, right?
223 00:15:28,540 --> 00:15:31,660 there is a file name up there
224 00:15:31,660 --> 00:15:35,980 if you can see that 978-blablabla DLL and some others
225 00:15:35,980 --> 00:15:44,380 and surprisingly this log file contained information about three other infections that took place
226 00:15:44,380 --> 00:15:48,820 so we switch to the next slide
227 00:15:48,820 --> 00:15:50,820 with that information we can say
228 00:15:50,820 --> 00:15:54,900 we have information that these guys infected at least four ATMs
229 00:15:54,900 --> 00:15:57,200 the ones where we had that DLL for
230 00:15:57,200 --> 00:15:58,780 and then these other three
231 00:15:58,780 --> 00:16:01,860 that we recover from the log file
232 00:16:01,860 --> 00:16:04,780 log file - again - is XOR-encrypted, but the key is hard-coded
233 00:16:04,780 --> 00:16:08,700 so we could recover it from the code and then decrypt the log file and read it
234 00:16:08,700 --> 00:16:11,900 this is an abbreviated version
235 00:16:11,900 --> 00:16:13,900 the most interesting lines from the log
236 00:16:13,900 --> 00:16:18,340 you can see that these ATMs run in fact Windows XP
237 00:16:18,340 --> 00:16:19,520 yeah...
238 00:16:21,940 --> 00:16:29,540 sb: what probably is quite interesting here is that we have information about three different teller machines
239 00:16:29,540 --> 00:16:31,940 that were infected with this USB device
240 00:16:31,940 --> 00:16:37,340 in clear text and we have it additionally in this somehow encrypted log file
241 00:16:37,340 --> 00:16:41,740 so the question is: Why do we have that twice?
242 00:16:41,740 --> 00:16:43,380 Why do we have this log file?
243 00:16:43,380 --> 00:16:45,260 And why didn't they remove those files?
244 00:16:45,260 --> 00:16:50,860 actually for every new infection they have to build up a new exe device
245 00:16:50,860 --> 00:16:55,600 which is encrypted with the volume serial ID from this machine
246 00:16:55,600 --> 00:16:58,200 and they would have enough time to clear that up
247 00:16:58,200 --> 00:16:59,580 but they didn't do it
248 00:16:59,580 --> 00:17:04,490 so furthermore the question broke: Why didn't they?
249 00:17:09,220 --> 00:17:12,860 tw: okay, now in this part we wanna talk a little bit more about the actual payload
250 00:17:12,860 --> 00:17:17,500 the malicious code that's executed on the compromised ATM
251 00:17:17,500 --> 00:17:20,030 you know, the interesting bit
252 00:17:21,140 --> 00:17:25,260 what you can see here is a list of some facts that we discovered
253 00:17:25,260 --> 00:17:29,500 again this file contains some encrypted resources
254 00:17:29,500 --> 00:17:33,260 this time they're encrypted with the static key that you see up there
255 00:17:33,260 --> 00:17:37,700 so by looking at the code we obtained this key and could easily recover the resources
256 00:17:37,700 --> 00:17:43,138 and they contained images like the one you see on the right hand side, up there
257 00:17:43,138 --> 00:17:48,940 obviously stuff they wanted to display on the ATM screen, right?
258 00:17:48,940 --> 00:17:52,820 we changed the coloring scheme and some other stuff here a little bit
259 00:17:52,820 --> 00:17:55,580 because we don't wanna disclose the target here
260 00:17:55,580 --> 00:18:00,260 yeah that's what they store in these resources
261 00:18:00,260 --> 00:18:04,260 another thing that was in there, is this sdelete tool from Sysinternals
262 00:18:04,260 --> 00:18:08,180 maybe some of you are familiar with that
263 00:18:08,180 --> 00:18:10,980 a publicly available tool for secure file deletion
264 00:18:10,980 --> 00:18:16,200 so you know, you overwrite the file with specific byte patterns before you remove it
265 00:18:16,200 --> 00:18:19,380 and they used that to remove forensic artefacts
266 00:18:19,380 --> 00:18:21,300 forensic traces from the system
267 00:18:21,300 --> 00:18:23,300 for example when they're uninstalling the malware
268 00:18:23,300 --> 00:18:25,860 because you can also uninstall it from an ATM
269 00:18:25,860 --> 00:18:30,940 but in case this fails for whatever reason, they have some backup code in the malware
270 00:18:30,940 --> 00:18:34,780 some backup secure undelete code that does basically the same stuff
271 00:18:34,780 --> 00:18:37,540 it overwrites the data first and then it deletes the file
272 00:18:37,540 --> 00:18:40,420 so it's kinda interesting that they put a lot of effort into
273 00:18:40,420 --> 00:18:42,420 covering up their, you know
274 00:18:42,420 --> 00:18:45,540 hiding their traces on the system
275 00:18:45,540 --> 00:18:47,100 and by the way
276 00:18:47,100 --> 00:18:49,200 we will give you a demo in a few minutes
277 00:18:49,200 --> 00:18:51,900 and show you the whole process
278 00:18:51,900 --> 00:18:54,260 how you interact with an infected ATM
279 00:18:54,260 --> 00:18:57,500 you will see the other screens as well
280 00:19:01,860 --> 00:19:07,380 then of course for most malware it's important to become persistent on the infected system
281 00:19:07,380 --> 00:19:13,780 because when it reboots for whatever reason, you want the malware to automatically load again
282 00:19:13,780 --> 00:19:27,030 and these guys do that by writing the dropped DLL into the AppInit DLLs value in the Windows registry
283 00:19:27,030 --> 00:19:29,340 for those of you, who are not familiar with the value
284 00:19:29,340 --> 00:19:34,860 you can specify libraries in there that are loaded into every process that starts up
285 00:19:34,860 --> 00:19:39,700 so by this you make sure that the malicious DLL is loaded into every process that starts
286 00:19:39,700 --> 00:19:42,910 within the current logon session at least
287 00:19:43,980 --> 00:19:48,180 what you see down there is some decompiled source code
288 00:19:48,180 --> 00:19:51,580 basically the main function of the malware
289 00:19:51,580 --> 00:19:53,140 of the DLL
290 00:19:53,140 --> 00:19:54,980 and what you can see there
291 00:19:54,980 --> 00:19:58,100 there are several checks running in cash client one
292 00:19:58,100 --> 00:20:01,140 cash client is the term for the software that controls the ATM
293 00:20:01,140 --> 00:20:02,660 that is running on the ATM
294 00:20:02,660 --> 00:20:04,900 and controls the dispenser and so on
295 00:20:04,900 --> 00:20:09,140 so it does this check and if this returns true, it starts some routine
296 00:20:09,140 --> 00:20:14,260 and if some other checks succeed, then it calls some other functions and so on
297 00:20:14,260 --> 00:20:20,460 basically what's happening here is that the DLL checks the name of the process it's running in
298 00:20:20,460 --> 00:20:24,340 and then depending on this name it invokes certain functionality
299 00:20:24,340 --> 00:20:29,940 and we believe that by doing this they implement support for different cash clients
300 00:20:29,940 --> 00:20:36,580 this line down here, running in lsass.exe is also interesting
301 00:20:36,580 --> 00:20:40,540 because the DLL is also obviously loaded into
302 00:20:40,540 --> 00:20:42,340 what's lsass again? local system...
303 00:20:42,340 --> 00:20:44,860 some Windows process
304 00:20:44,860 --> 00:20:47,300 is also loaded into that one of course
305 00:20:47,300 --> 00:20:49,660 because of the AppInit thing
306 00:20:49,660 --> 00:20:54,260 if it's running in this, it doesn't interact with the cash client ATM software at all
307 00:20:54,260 --> 00:21:00,600 the DLL that's running in there is an event processor
308 00:21:00,600 --> 00:21:02,860 for example, if you wanna uninstall the software
309 00:21:02,860 --> 00:21:05,460 you basically create an uninstall event
310 00:21:05,460 --> 00:21:07,940 and then the instance running in this process here
311 00:21:07,940 --> 00:21:11,140 handles the event and removes the file and so on
312 00:21:11,140 --> 00:21:13,140 and cleans up all traces
313 00:21:13,140 --> 00:21:15,620 sb: what's also quite interesting here
314 00:21:15,620 --> 00:21:19,100 you can see that later on, when we discover the malware itself
315 00:21:19,100 --> 00:21:22,100 they have really something like a development cycle
316 00:21:22,100 --> 00:21:24,260 it's really professional made up
317 00:21:24,260 --> 00:21:31,900 because within the first infections we could find this malicious DLL within this AppInit hive key
318 00:21:31,900 --> 00:21:37,780 there was an incident where the forensic team could discover it there
319 00:21:37,780 --> 00:21:39,900 because it's quite obvious, you know
320 00:21:39,900 --> 00:21:45,420 the AppInit DLL key is very famous for any malware
321 00:21:45,420 --> 00:21:47,580 that should start at startup
322 00:21:47,580 --> 00:21:48,900 and they improved it
323 00:21:48,900 --> 00:21:55,220 so later on, they just added this malicious DLL to the DLLs which are started
324 00:21:55,220 --> 00:21:56,940 just when the cash client is started
325 00:21:56,940 --> 00:22:00,580 so it's also started from the startup, but it's not as loud
326 00:22:00,580 --> 00:22:05,220 so you have to search quite deeper to find it
327 00:22:07,620 --> 00:22:10,260 tw: Where are we? Are we on time? How are we doing?
328 00:22:10,260 --> 00:22:12,620 How much time do we have left?
329 00:22:18,420 --> 00:22:19,250 okay, plenty of time
330 00:22:19,250 --> 00:22:20,420 great
331 00:22:20,420 --> 00:22:28,180 so we know, how the malware becomes persistent
332 00:22:28,180 --> 00:22:31,620 we know how it makes sure that it runs on the system
333 00:22:31,620 --> 00:22:36,900 so it injects this DLL into all these processes
334 00:22:36,900 --> 00:22:39,700 now of course we wanna know how to interact with it
335 00:22:39,700 --> 00:22:41,819 because there must be a way of interacting with the malware
336 00:22:41,819 --> 00:22:50,540 and what we found out by reverse engineering code is that the DLL that's running in the cash client
337 00:22:50,540 --> 00:22:53,500 installs a hook for keyboard events
338 00:22:53,500 --> 00:22:57,620 so whenever you press a key on the keyboard which in this case is the num pad
339 00:22:57,620 --> 00:23:02,940 this is trapped by the malware and processed
340 00:23:02,940 --> 00:23:05,900 and what they do is, they process only number keys
341 00:23:05,900 --> 00:23:07,180 for obvious reasons
342 00:23:07,180 --> 00:23:08,980 because that's the only kind of keys that you can enter
343 00:23:08,980 --> 00:23:11,780 and if you enter the code that you've seen on the first slide
344 00:23:11,780 --> 00:23:19,620 you activate a hidden menu that allows you to choose several options
345 00:23:19,620 --> 00:23:24,200 that you can use to control the ATM
346 00:23:27,870 --> 00:23:29,540 but they have implemented an additional measure
347 00:23:29,540 --> 00:23:34,220 because, you know, it's possible that somebody by accident enters the right 12 digits
348 00:23:34,220 --> 00:23:37,100 and then *surprise* this thing pops up
349 00:23:37,100 --> 00:23:39,500 and you can dispense all the money from the ATM
350 00:23:39,500 --> 00:23:41,700 of course they don't want that to happen
351 00:23:41,700 --> 00:23:44,260 so they have implemented a challenge-response scheme
352 00:23:44,260 --> 00:23:48,300 so when you enter the 12 digit code, the first menu allows you to say
353 00:23:48,300 --> 00:23:50,300 present me with a challenge
354 00:23:50,300 --> 00:23:54,700 and then the malware generates a random or like a secret code
355 00:23:54,700 --> 00:23:57,460 where the scheme to generate it is secret
356 00:23:57,460 --> 00:23:59,900 and you have to enter a response
357 00:23:59,900 --> 00:24:02,140 that's not easy to crack
358 00:24:02,140 --> 00:24:03,980 what they do in this case
359 00:24:03,980 --> 00:24:10,100 because the poor guy who goes to the ATM to cash out is not the brain behind the whole operation
360 00:24:10,100 --> 00:24:13,660 they're likely to get arrested
361 00:24:13,660 --> 00:24:17,540 so they probably don't want to transfer the knowledge
362 00:24:17,540 --> 00:24:21,100 how to generate the response for the challenge to these people
363 00:24:21,100 --> 00:24:26,140 can you tell the story about the phone calls?
364 00:24:26,140 --> 00:24:32,660 sb: yeah, actually they had a surveillance video where they could monitor just one of their cash guys
365 00:24:32,660 --> 00:24:37,380 who just currently had entered the secret 12 digits
366 00:24:37,380 --> 00:24:43,460 and you can see on this video that he has already one part of this hack view
367 00:24:43,460 --> 00:24:47,780 and after that he just took a cell phone
368 00:24:47,780 --> 00:24:52,620 and called somebody and you can see that within that call
369 00:24:52,620 --> 00:24:59,820 he types another number and right after that, he starts cashing out the teller machines
370 00:24:59,820 --> 00:25:05,700 that's exactly that challenge-response check, he was talking about
371 00:25:05,700 --> 00:25:10,300 so this proves that they don't want anything to chance
372 00:25:10,300 --> 00:25:18,500 they wanna control which teller machine is cashed out and exactly when and who does the cash out
373 00:25:18,500 --> 00:25:24,619 so this may implicate that they don't trust their own people, do they?
374 00:25:24,619 --> 00:25:30,740 tw: so, I mean we tried to bring you this video where the guy makes the phone call
375 00:25:30,740 --> 00:25:34,140 but obviously the bank that was targeted here
376 00:25:34,140 --> 00:25:38,620 they're a little concerned about their identity being disclosed
377 00:25:38,620 --> 00:25:40,620 so unfortunately we couldn't get it
378 00:25:40,620 --> 00:25:43,620 but, well, you have to trust us on that
379 00:25:43,620 --> 00:25:46,140 that's how they probably do it
380 00:25:46,140 --> 00:25:52,660 another thing is that these guys already anticipated that somebody would get a copy of the malware
381 00:25:52,660 --> 00:25:55,300 and then probably start to reverse engineer it
382 00:25:55,300 --> 00:25:58,100 and understand how it works
383 00:25:58,100 --> 00:25:59,780 and of course the worst thing that can happen is
384 00:25:59,780 --> 00:26:03,700 if somebody recovers the challenge-response functionality in that code
385 00:26:03,700 --> 00:26:09,260 and then goes to all the hacked ATMs and, you know, jackpots them
386 00:26:09,260 --> 00:26:11,180 instead of these guys
387 00:26:11,180 --> 00:26:15,220 so they figured: okay, we need a means to protect that really important code
388 00:26:15,220 --> 00:26:18,260 and that's not the only part, that's protected
389 00:26:18,260 --> 00:26:22,500 there are several pieces that are, you know, critical
390 00:26:22,500 --> 00:26:24,260 so to speak
391 00:26:24,260 --> 00:26:26,900 so this challenge-response thing is one of them
392 00:26:26,900 --> 00:26:31,740 and the other parts that are protected is everything that interacts with the cash client
393 00:26:31,740 --> 00:26:37,940 so by looking at the code you would never see a direct API call or DLL function call
394 00:26:37,940 --> 00:26:40,260 into the cash client's libraries
395 00:26:40,260 --> 00:26:41,860 all of this stuff is protected
396 00:26:41,860 --> 00:26:46,220 and I'm gonna talk a little bit more about how they do that
397 00:26:48,230 --> 00:26:51,620 it's a little bit hard to put that... 398 00:26:51,620 --> 00:26:53,700 to find the right words for it 399 00:26:53,700 --> 00:26:57,340 we have a picture of that in our mind, but... 400 00:26:57,340 --> 00:26:59,500 we call that a state machine 401 00:26:59,500 --> 00:27:04,140 so their obfuscation method is basically control flow obfuscation 402 00:27:04,140 --> 00:27:08,540 when you look at some code statically, you can see this function is calling that function 403 00:27:08,540 --> 00:27:11,180 and then this is calling that under this condition and so on 404 00:27:11,180 --> 00:27:13,300 that's the control flow in the code 405 00:27:13,300 --> 00:27:16,900 but if you don't wanna disclose that function A is calling function B 406 00:27:16,900 --> 00:27:19,380 you have to put something in between 407 00:27:19,380 --> 00:27:21,300 that obfuscates this relationship 408 00:27:21,300 --> 00:27:25,220 they implemented a state-machine 409 00:27:25,220 --> 00:27:26,980 that's what we call it 410 00:27:26,980 --> 00:27:28,580 and this state machine consumes a buffer 411 00:27:28,580 --> 00:27:31,180 a static buffer that's somewhere in the binary 412 00:27:31,180 --> 00:27:34,140 and performs some computation on the bytes 413 00:27:34,140 --> 00:27:37,220 and the result is the address of the function to call 414 00:27:37,220 --> 00:27:41,980 at some point you say: state machine, here is a buffer 415 00:27:41,980 --> 00:27:43,460 do your thing 416 00:27:43,460 --> 00:27:46,300 and then the state machine starts computing the address to call 417 00:27:46,300 --> 00:27:48,380 or that's only one scenario 418 00:27:48,380 --> 00:27:51,200 the other scenario is that you wanna compute a certain value 419 00:27:51,200 --> 00:27:54,600 for example, you enter the response for a particular challenge 420 00:27:54,600 --> 00:28:01,580 and then the state machine with its functions computes some other value 421 00:28:01,580 --> 00:28:04,860 that it 
compares to a challenge or something 422 00:28:04,860 --> 00:28:08,940 and this computation as well is protected by the state machine 423 00:28:08,940 --> 00:28:13,178 and you can see a little snippet of that on the right hand side 424 00:28:13,178 --> 00:28:17,380 again, if you can read it, you can see there's a lot of junk code in there 425 00:28:17,380 --> 00:28:21,600 those of you who are familiar with polymorphism 426 00:28:21,600 --> 00:28:23,540 polymorphic malware or other stuff like that 427 00:28:23,540 --> 00:28:28,140 you will immediately see that some of the functions in there are total garbage 428 00:28:28,140 --> 00:28:31,500 like for example, the SUB AL e1 429 00:28:31,500 --> 00:28:36,500 and then, you know, some values are subtracted from a register first and then added again 430 00:28:36,500 --> 00:28:38,740 so it's basically doing nothing 431 00:28:38,740 --> 00:28:44,700 this junk code stuff is one method of obfuscation 432 00:28:44,700 --> 00:28:47,740 and the other is, what's usually called "spaghetti code" 433 00:28:47,740 --> 00:28:49,620 you know, it's jumping back and forth 434 00:28:49,620 --> 00:28:52,500 and calling subroutines all over the place 435 00:28:52,500 --> 00:28:56,980 and I think it's really hard or next to impossible to reverse engineer that 436 00:28:56,980 --> 00:28:59,460 at least we spent several days 437 00:28:59,460 --> 00:29:00,740 weeks even 438 00:29:00,740 --> 00:29:02,900 and we couldn't really figure out how the state machine works 439 00:29:02,900 --> 00:29:04,220 and that's really the purpose 440 00:29:04,220 --> 00:29:08,380 but fortunately for us there was a solution for this 441 00:29:08,380 --> 00:29:12,700 and that is what the little colored bar at the bottom of the slide shows you 442 00:29:12,700 --> 00:29:17,500 again, this is something that IDA Pro generates for you, this disassembler tool 443 00:29:17,500 --> 00:29:20,300 you can see the blue stuff at the front 444 00:29:20,300 --> 00:29:24,780 
that's the real code of the malware 445 00:29:24,780 --> 00:29:27,100 all of that lives in the code section 446 00:29:27,100 --> 00:29:28,700 and is at the beginning 447 00:29:28,700 --> 00:29:31,540 and the green stuff here is library functions 448 00:29:31,540 --> 00:29:33,978 here we have some data 449 00:29:33,978 --> 00:29:36,700 and at the end there is some code again 450 00:29:36,700 --> 00:29:39,100 and surprisingly this is the state machine 451 00:29:39,100 --> 00:29:42,780 and it's pretty convenient for us that this is somewhere else in the memory layout 452 00:29:42,780 --> 00:29:43,980 so what you can do is 453 00:29:43,980 --> 00:29:46,780 you can put a memory break point at the section here 454 00:29:46,780 --> 00:29:51,740 and by doing this trap every attempt to execute the state machine code 455 00:29:51,740 --> 00:29:54,140 and then when you're in the state machine 456 00:29:54,140 --> 00:29:57,660 you put a break point on the original, on the real code, up there 457 00:29:57,660 --> 00:30:01,800 and you get the exit point of the state machine 458 00:30:01,800 --> 00:30:05,580 by doing this you can basically treat the state machine as a black box 459 00:30:05,580 --> 00:30:07,580 you don't care about the calculations at all 460 00:30:07,580 --> 00:30:12,200 you can still reconstruct the relationship between the calling function and the callee 461 00:30:12,200 --> 00:30:14,980 okay 462 00:30:14,980 --> 00:30:23,580 unfortunately we couldn't use this break point method to understand how these value calculations are performed 463 00:30:23,580 --> 00:30:29,220 but, well, you still can inspect memory and somehow understand a little bit of that somehow at least 464 00:30:33,260 --> 00:30:38,459 okay now we wanna demo to you how this thing looks like 465 00:30:38,459 --> 00:30:42,200 unfortunately we don't own an ATM that we can infect 466 00:30:42,200 --> 00:30:46,710 but we have a virtual machine here that's running the malware 467 00:30:48,270 --> 
00:30:50,500 and we've patched the malware a little bit here 468 00:30:50,500 --> 00:30:51,900 I think we didn't tell you 469 00:30:51,900 --> 00:30:54,420 so what's happening is these screens when you enter the secret code 470 00:30:54,420 --> 00:30:57,180 these screens that you saw on the slide 471 00:30:57,180 --> 00:31:01,140 they're displayed on a second desktop 472 00:31:01,140 --> 00:31:03,580 on Windows you can have as many desktops 473 00:31:03,580 --> 00:31:05,660 like virtual desktops as you want 474 00:31:05,660 --> 00:31:08,260 and then switch back and forth between these desktops 475 00:31:08,260 --> 00:31:09,420 so what's happening is 476 00:31:09,420 --> 00:31:11,180 these screens are displayed on a second desktop 477 00:31:11,180 --> 00:31:15,300 and then execution switches over 478 00:31:15,300 --> 00:31:17,940 the displays which is over to this desktop 479 00:31:17,940 --> 00:31:21,700 so you leave the original ATM display and its process alone 480 00:31:21,700 --> 00:31:24,340 you just switch over to your secret menu desktop 481 00:31:24,340 --> 00:31:27,150 and when you're done, you can switch back 482 00:31:28,100 --> 00:31:31,140 that's a little difficult to debug 483 00:31:31,140 --> 00:31:34,620 because when you do that, when you're running in a debugger and using break points and stuff 484 00:31:34,620 --> 00:31:38,740 and the malware all of a sudden switches to a second desktop 485 00:31:38,740 --> 00:31:42,200 you can't control the debugger anymore, because it's running on the first desktop 486 00:31:42,200 --> 00:31:47,740 so we had to patch a few things to make it more convenient for us to demonstrate this 487 00:31:47,740 --> 00:31:50,880 and that's what we're gonna do now 488 00:31:56,140 --> 00:31:57,820 can you...? 489 00:31:57,820 --> 00:32:01,580 so we have this little Windows XP VM 490 00:32:01,580 --> 00:32:04,140 because we want to be accurate, right? 
491 00:32:04,140 --> 00:32:07,700 and I'm gonna start two processes here 492 00:32:07,700 --> 00:32:11,580 one is: I have some little batch scripts 493 00:32:11,580 --> 00:32:17,620 one is the one that simulates the malware running in the lsass process 494 00:32:17,620 --> 00:32:23,860 and the other one simulates the malware running in the cash client 495 00:32:23,860 --> 00:32:25,220 this one here 496 00:32:25,220 --> 00:32:32,200 and let's just presume that this is showing the standard ATM screen here 497 00:32:32,200 --> 00:32:34,820 so "Enter your PIN" and stuff like that, okay 498 00:32:34,820 --> 00:32:36,780 so what we're gonna do now is 499 00:32:36,780 --> 00:32:40,700 we're gonna enter the 12 digit secret code that we saw on the first slide 500 00:32:40,700 --> 00:32:44,470 you remember that, right? 501 00:32:48,310 --> 00:32:52,340 and if you do that, you're presented with this menu here 502 00:32:58,650 --> 00:33:01,500 do you wanna talk about those values? how that's calculated? 
503 00:33:01,500 --> 00:33:02,900 sb: yeah probably 504 00:33:02,900 --> 00:33:08,100 so the only thing which is hard coded are the three lines at the bottom here 505 00:33:08,100 --> 00:33:16,260 and all of the rest is just generated with the actual amounts they find on this ATM 506 00:33:16,260 --> 00:33:20,540 so the ATMs, they have a lot of log files which they create 507 00:33:20,540 --> 00:33:23,980 and they're just saved on the hard drive 508 00:33:23,980 --> 00:33:25,660 and within those files 509 00:33:25,660 --> 00:33:31,180 every payment transaction is noted 510 00:33:31,180 --> 00:33:34,260 what the malware does is 511 00:33:34,260 --> 00:33:36,740 it requests the newest of those files 512 00:33:36,740 --> 00:33:41,700 and just pulls the values into that screen 513 00:33:41,700 --> 00:33:48,140 and so the attacker is presented with the actual value of the amount of money 514 00:33:48,140 --> 00:33:52,660 and there he can just choose which one he wants to cash out 515 00:33:52,660 --> 00:33:57,700 so just the 100 bills, or all of them 516 00:33:57,700 --> 00:33:59,700 this is quite interesting 517 00:33:59,700 --> 00:34:05,740 we took this screen from an ATM which was already attacked 518 00:34:05,740 --> 00:34:14,220 there you can see that especially, or only the $100 cash cassette was cashed out 519 00:34:14,220 --> 00:34:24,500 because, you know how long it takes if you're just cashing out 100 or 200 Dollars or Euros 520 00:34:24,500 --> 00:34:30,660 and if you can imagine if you have a whole cassette full of money 521 00:34:30,660 --> 00:34:33,420 that takes a lot of time 522 00:34:33,420 --> 00:34:43,420 so this is why they most likely just cashed out this cassette with the most valuable input 523 00:34:43,420 --> 00:34:48,500 tw: so what I can do now is 524 00:34:48,500 --> 00:34:51,340 I can either press "0" and then I leave that again 525 00:34:51,340 --> 00:34:55,300 and, you know, ATM shows its standard screen again 526 00:34:55,300 --> 
00:34:57,300 or I press "1" 527 00:34:57,300 --> 00:35:01,380 I'm gonna do that now, just to show you what's happening 528 00:35:01,380 --> 00:35:05,420 and now it's challenging me with this code here 529 00:35:05,420 --> 00:35:09,260 and I have to enter the response 530 00:35:09,260 --> 00:35:12,660 and yeah, I mean, it's a 6 digit number 531 00:35:12,660 --> 00:35:14,260 the problem is 532 00:35:14,260 --> 00:35:17,700 because we're not running on a real ATM, we cannot simulate this here 533 00:35:17,700 --> 00:35:20,100 so I mean, I can enter a number here 534 00:35:20,100 --> 00:35:24,900 but even if it would be the right one and it would accept this 535 00:35:24,900 --> 00:35:29,620 we wouldn't be able to go any further, because some pieces are missing here 536 00:35:29,620 --> 00:35:33,580 unfortunately... let me restart this 537 00:35:45,140 --> 00:35:46,980 there we go again 538 00:35:49,790 --> 00:35:52,419 usually what happens is 539 00:35:52,419 --> 00:35:54,100 you press "1" 540 00:35:54,100 --> 00:35:57,200 you get the challenge code 541 00:35:57,200 --> 00:35:59,420 you call your HQ 542 00:35:59,420 --> 00:36:00,756 you get the response code 543 00:36:00,756 --> 00:36:02,182 you enter your response code 544 00:36:02,182 --> 00:36:05,740 and then you have access to this second level menu, so to speak 545 00:36:05,740 --> 00:36:08,860 that allows you to actually cash out 546 00:36:08,860 --> 00:36:12,900 well, as I said, we cannot really do that here 547 00:36:12,900 --> 00:36:17,200 so we have to simulate the fact that we're authenticated 548 00:36:17,200 --> 00:36:20,340 we entered the right response code 549 00:36:20,340 --> 00:36:24,110 for that we patched a little bit in this DLL 550 00:36:24,110 --> 00:36:27,068 unfortunately we have to wait for three minutes now 551 00:36:27,068 --> 00:36:29,096 because there is a timeout 552 00:36:29,096 --> 00:36:33,540 they implemented a timeout as a measure to not leave this screen open 553 00:36:33,540 --> 
00:36:35,600 when, you know, something happens 554 00:36:35,600 --> 00:36:37,620 the guy has to run off or something 555 00:36:37,620 --> 00:36:39,620 because police is coming or something 556 00:36:39,620 --> 00:36:41,380 and then you don't want to leave this on the screen 557 00:36:41,380 --> 00:36:44,940 so they implemented a timer that fires after three minutes 558 00:36:44,940 --> 00:36:48,200 and then after three minutes this window is closed 559 00:36:48,200 --> 00:36:53,580 we patched this timer, that after three minutes the second layer menu is opened instead 560 00:36:53,580 --> 00:36:57,900 we have to talk a little bit more, until that happens now 561 00:36:57,900 --> 00:37:01,540 sb: probably about the version number 562 00:37:01,540 --> 00:37:05,500 cause there you can see, they named their software 563 00:37:05,500 --> 00:37:10,780 typical software style of course 564 00:37:10,780 --> 00:37:13,260 with a four digit value number 565 00:37:13,260 --> 00:37:15,420 so they have really a development cycle 566 00:37:15,420 --> 00:37:17,200 for this malware 567 00:37:17,200 --> 00:37:23,300 and they really are improving that with nearly every attack they are doing 568 00:37:23,300 --> 00:37:27,300 they collect all facts they have, they improve anti-forensics 569 00:37:27,300 --> 00:37:31,500 and build in a little more functionality 570 00:37:31,500 --> 00:37:36,780 you can really track these changes, they made 571 00:37:36,780 --> 00:37:39,820 this development improves 572 00:37:42,840 --> 00:37:48,780 tw: another thing we can tell you meanwhile is that this challenge code is generated from two things 573 00:37:48,780 --> 00:37:51,780 again, we don't know how it's generated, we don't know the algorithm 574 00:37:51,780 --> 00:37:53,620 but we do know the input 575 00:37:53,620 --> 00:37:56,900 and the two things that are the input to this algorithm 576 00:37:56,900 --> 00:38:01,620 are an ID that's unique to the ATM 577 00:38:01,620 --> 00:38:04,600 or the 
station, whatever you wanna call it 578 00:38:04,600 --> 00:38:05,660 and a random value 579 00:38:05,660 --> 00:38:07,300 so there's some randomness in there 580 00:38:07,300 --> 00:38:11,860 by this you make sure that even if the same random value is chosen 581 00:38:11,860 --> 00:38:14,380 the codes are different for two different ATMs 582 00:38:14,380 --> 00:38:18,460 so the guy has to in fact call you and ask for the code 583 00:38:18,460 --> 00:38:23,580 he cannot, you know, just by accident enter the right thing and take the money for himself 584 00:38:23,580 --> 00:38:30,520 alright now would be a good time for the timer to fire 585 00:38:33,490 --> 00:38:34,940 let's see 586 00:38:34,940 --> 00:38:37,600 okay, I have another story 587 00:38:37,600 --> 00:38:40,140 the dropper executable 588 00:38:40,140 --> 00:38:45,900 when something goes wrong, they calculate an error message, an error code 589 00:38:45,900 --> 00:38:46,980 oh, there we go 590 00:38:46,980 --> 00:38:50,260 and this error code is derived from the value 1337 591 00:38:50,260 --> 00:38:52,820 so apparently they think they are leet 592 00:38:52,820 --> 00:38:57,980 which didn't really stop us from reverse engineering their software 593 00:39:04,200 --> 00:39:08,260 this screen is like what we showed on the second slide 594 00:39:08,260 --> 00:39:12,220 which basically says "this terminal is out of order, go to the next one" 595 00:39:12,220 --> 00:39:14,300 and when you see this 596 00:39:14,300 --> 00:39:15,860 I mean, two purposes: 597 00:39:15,860 --> 00:39:22,540 one: others who want to dispense money from the ATM, if they see this, they would not touch it 598 00:39:22,540 --> 00:39:24,600 and go to another one 599 00:39:24,600 --> 00:39:27,820 but this also tells you that now you can enter another code 600 00:39:27,820 --> 00:39:32,660 which turns out to be the same 12 digit sequence that we already know 601 00:39:32,660 --> 00:39:34,980 to enter the second hidden menu 602 00:39:34,980 
--> 00:39:41,460 and there we go 603 00:39:41,460 --> 00:39:45,180 this is now the real menu that you can use to control the ATM 604 00:39:45,180 --> 00:39:49,660 again, you see the first four lines show you how much money for the different bills 605 00:39:49,660 --> 00:39:51,820 or different notes is in there 606 00:39:51,820 --> 00:39:53,980 but now you can actually, you know, cash out 607 00:39:53,980 --> 00:39:55,900 you can dispense that money from the machine 608 00:39:55,900 --> 00:40:07,900 so for example if I press "1", hopefully I can get the 300 R-Dollars 609 00:40:07,900 --> 00:40:11,860 or if I press "4", I can get the 50s 610 00:40:11,860 --> 00:40:18,300 so let me do that now and you can pay attention to the purple line at the bottom 611 00:40:18,300 --> 00:40:20,700 so I press "4" now 612 00:40:20,700 --> 00:40:24,740 and it said "wait" or "waiting" or something like that 613 00:40:24,740 --> 00:40:27,140 and now it says "command has failed" 614 00:40:27,140 --> 00:40:30,460 which is too bad because I wanted money, but my VM... 
615 00:40:30,460 --> 00:40:32,220 the emulation is not that good 616 00:40:32,220 --> 00:40:36,600 sb: still didn't get to manage to really cash out some money from that machine here 617 00:40:36,600 --> 00:40:38,100 tw: that would be nice 618 00:40:38,100 --> 00:40:40,200 so I could now try to cash out 1, 2, 3, 4 619 00:40:40,200 --> 00:40:41,900 and always I get this failure message 620 00:40:41,900 --> 00:40:47,500 but this is where the malware actually interacts with the cash client 621 00:40:47,500 --> 00:40:54,820 it loads, or resolves the libraries that belong to this cash client and then calls the API functions 622 00:40:54,820 --> 00:40:58,220 to trigger the dispense functionality 623 00:40:58,220 --> 00:41:02,340 but the other options at the bottom of the screen are also interesting 624 00:41:02,340 --> 00:41:04,540 let me show you "7" and "8" first 625 00:41:04,540 --> 00:41:07,420 and that's why I have this little window open here 626 00:41:07,420 --> 00:41:08,460 I hope you can see that 627 00:41:08,460 --> 00:41:10,700 so this is my network connection 628 00:41:10,700 --> 00:41:13,140 the network devices that are installed 629 00:41:13,140 --> 00:41:19,600 and as she said, every ATM has a persistent network connection to the bank 630 00:41:19,600 --> 00:41:22,300 so they can control what's going on and monitor and so on 631 00:41:22,300 --> 00:41:27,980 so probably before you wanna cash out, you wanna disable the network entirely 632 00:41:27,980 --> 00:41:30,200 and they can use "7" and "8" to do that 633 00:41:30,200 --> 00:41:37,300 so let me press "7", you take a look at that window on the right hand side 634 00:41:37,300 --> 00:41:39,660 you can see, the adapters are disabled now 635 00:41:39,660 --> 00:41:42,540 and now I'm going to press "8" again 636 00:41:42,540 --> 00:41:43,900 and now they're enabled again 637 00:41:43,900 --> 00:41:45,860 that's convenient, right 638 00:41:45,860 --> 00:41:49,820 so you can disable and enable the network 
adapters entirely 639 00:41:49,820 --> 00:41:54,380 if you press "6" you're going back to this mode 640 00:41:57,700 --> 00:42:01,900 and finally you can also format the system 641 00:42:04,180 --> 00:42:07,340 I mean obviously because you wanna remove all the traces 642 00:42:07,340 --> 00:42:11,780 so if I press "5", you see that little screen, that we already know 643 00:42:11,780 --> 00:42:14,860 from the slide 644 00:42:14,860 --> 00:42:16,620 they're somewhat cautious here 645 00:42:16,620 --> 00:42:19,500 again, if you do that, you can either press "0" 646 00:42:19,500 --> 00:42:21,780 then you get back to the previous menu 647 00:42:21,780 --> 00:42:25,700 or you can press "9" and confirm that you actually wanna format the system 648 00:42:25,700 --> 00:42:27,340 and doing that now 649 00:42:27,340 --> 00:42:32,660 and again it presents you with a challenge and you have to enter a 6 digit response code 650 00:42:32,660 --> 00:42:38,340 the algorithm that's used to calculate this here is different from the previous one 651 00:42:38,340 --> 00:42:41,620 and I mean we figured it out somewhat 652 00:42:41,620 --> 00:42:46,500 but the funny thing is, that it doesn't actually format the system 653 00:42:46,500 --> 00:42:49,460 it just uninstalls the malware 654 00:42:49,460 --> 00:42:53,860 I don't know what the right answer to this is now 655 00:42:53,860 --> 00:42:56,980 if you enter the wrong one, it keeps asking 656 00:42:56,980 --> 00:43:00,820 and interestingly you cannot get out of this state anymore 657 00:43:00,820 --> 00:43:04,580 so if you don't know the right answer, you're trapped in this 658 00:43:04,580 --> 00:43:08,820 and after three minutes the "out of order" thing is displayed again 659 00:43:08,820 --> 00:43:13,200 but if you enter the secret code, you don't have access to the main menu again 660 00:43:13,200 --> 00:43:15,460 you will always end up in this screen 661 00:43:15,460 --> 00:43:22,940 so unless you enter the right code here, 
well, you locked yourself out 662 00:43:26,880 --> 00:43:27,600 alright 663 00:43:27,600 --> 00:43:34,220 we wanna conclude with some speculation about the people behind this maybe 664 00:43:34,220 --> 00:43:36,660 we obviously don't really know who it is 665 00:43:36,660 --> 00:43:39,740 but, you know, there are some interesting facts 666 00:43:39,740 --> 00:43:46,200 and after that we'll open it up for questions and, you know, a little Q&A 667 00:43:46,200 --> 00:43:48,940 sb: what we really can tell for sure 668 00:43:48,940 --> 00:43:51,260 that they want to make serious money with that 669 00:43:51,260 --> 00:43:54,340 they put a lot of effort in implementing and investigating 670 00:43:54,340 --> 00:43:57,180 in coding actually 671 00:43:57,180 --> 00:44:04,420 they build up quite a big team to do that and they have apparently different roles 672 00:44:04,420 --> 00:44:06,460 that are strictly assigned 673 00:44:06,460 --> 00:44:11,420 so every role has his part and is able to do his part 674 00:44:11,420 --> 00:44:13,660 so it's quite separated 675 00:44:13,660 --> 00:44:18,860 for sure they have to have profound knowledge about the ATMs 676 00:44:18,860 --> 00:44:21,620 so most likely they really had one 677 00:44:21,620 --> 00:44:28,620 to test all these features and to really check whether the coding is correct 678 00:44:28,620 --> 00:44:30,380 whether they get any error messages 679 00:44:30,380 --> 00:44:32,100 something like that 680 00:44:32,100 --> 00:44:39,300 so either they probably robbed one and reverse engineered the original cash client 681 00:44:39,300 --> 00:44:41,180 to derive the malware from it 682 00:44:41,180 --> 00:44:45,420 or they most likely had someone in the inside 683 00:44:45,420 --> 00:44:48,220 which was just to... 
684 00:44:48,220 --> 00:44:50,460 which had to develop the original cash client 685 00:44:50,460 --> 00:44:54,460 and therefore really knows exactly how this works 686 00:44:54,460 --> 00:45:00,380 how it's possible just to trigger a cash out 687 00:45:00,380 --> 00:45:04,500 without entering a valid card, the PIN code 688 00:45:04,500 --> 00:45:10,600 circumvent all the security measures that are implemented here 689 00:45:10,600 --> 00:45:15,700 they have quite good development skills 690 00:45:15,700 --> 00:45:19,500 so the code is quite sorted 691 00:45:19,500 --> 00:45:23,340 you see the development cycles 692 00:45:23,340 --> 00:45:36,820 they implement new features just like the AppInit DLL key stuff and so on 693 00:45:36,820 --> 00:45:46,860 at least they are capable of protecting the code against people like him 694 00:45:46,860 --> 00:45:49,900 they're just trying to reverse engineer malware 695 00:45:49,900 --> 00:45:53,600 and they really try to cover their tracks for forensic investigations 696 00:45:53,600 --> 00:45:58,820 so they made it really hard to get the pieces together 697 00:45:58,820 --> 00:46:06,580 to just have a full image of how that finally works together 698 00:46:06,580 --> 00:46:07,980 tw: alright 699 00:46:07,980 --> 00:46:11,540 that was almost the last slide 700 00:46:11,540 --> 00:46:13,580 you guys remember the 12 digits 701 00:46:13,580 --> 00:46:15,220 from the first slide 702 00:46:15,220 --> 00:46:18,300 so next time, before you dispense the money from an ATM, enter the 12 digits first 703 00:46:18,300 --> 00:46:20,740 to make sure that it's not hacked 704 00:46:20,740 --> 00:46:22,820 right, and if it is hacked 705 00:46:22,820 --> 00:46:29,600 then you enter this here 706 00:46:29,600 --> 00:46:31,140 because that uninstalls the malware 707 00:46:31,140 --> 00:46:41,070 *applause* 708 00:46:48,540 --> 00:46:54,420 well then we do a short Q&A, if it's okay for you 709 00:46:54,420 --> 00:46:57,180 please, everybody that 
has a question 710 00:46:57,180 --> 00:47:00,980 please line up on the microphones 711 00:47:00,980 --> 00:47:04,220 signed with the numbers 712 00:47:04,220 --> 00:47:20,540 and then we will do a short Q&A from approximately 8 to 10 minutes 713 00:47:20,540 --> 00:47:22,860 alright, let's start with you 714 00:47:22,860 --> 00:47:25,100 hi, I have two questions 715 00:47:25,100 --> 00:47:30,620 the first question is whether they were gathering PIN codes and no strips 716 00:47:30,620 --> 00:47:32,660 to be able to use them later on 717 00:47:32,660 --> 00:47:37,700 and the second question is whether the ATM is connected to the Internet through the network connection 718 00:47:37,700 --> 00:47:40,600 I didn't get all of that 719 00:47:40,600 --> 00:47:42,380 can the others be a little quiet 720 00:47:42,380 --> 00:47:45,180 so we have the chance to understand the questions 721 00:47:45,180 --> 00:47:46,900 sorry, can you please repeat? 722 00:47:46,900 --> 00:47:52,540 so my first question is whether the PIN codes and this magnetic strip 723 00:47:52,540 --> 00:47:57,660 or any other information linked to the credit card number is gathered by this malware 724 00:47:57,660 --> 00:48:02,980 and the second question is whether net network connection gives Internet access to the ATM 725 00:48:02,980 --> 00:48:06,980 let me answer the first one, and for the second one, I'll refer to her 726 00:48:06,980 --> 00:48:13,460 so this one could gather information like credit card stuff and so on 727 00:48:13,460 --> 00:48:14,660 but it doesn't 728 00:48:14,660 --> 00:48:16,200 not this one 729 00:48:16,200 --> 00:48:17,980 I didn't get the second question 730 00:48:17,980 --> 00:48:23,140 second question was: can you access the ATMs over the Internet? is there internet connection? 
731 00:48:23,140 --> 00:48:27,580 no, actually they do not have an Internet connection 732 00:48:27,580 --> 00:48:30,940 but it is possible to build, so far 733 00:48:30,940 --> 00:48:35,220 we did that in a test, where we tested an ATM 734 00:48:35,220 --> 00:48:40,300 you can use this USB connection where they plugged in the bootable device 735 00:48:40,300 --> 00:48:45,903 and just put an UMTS stick there and then you have an Internet connection 736 00:48:45,903 --> 00:48:48,348 but by default there is none 737 00:48:48,348 --> 00:48:51,003 but we did that, yeah 738 00:48:51,003 --> 00:48:55,700 okay, then let's take number 1 739 00:48:55,700 --> 00:48:58,460 thank you for your talk 740 00:48:58,460 --> 00:48:59,900 I have two short questions 741 00:48:59,900 --> 00:49:03,200 what was the time span between the infection and the cash out? 742 00:49:03,200 --> 00:49:08,598 and did the attackers try to intercept card data? 743 00:49:09,298 --> 00:49:11,260 so, the second question is the same as the previous one 744 00:49:11,260 --> 00:49:14,180 they don't intercept any card data 745 00:49:14,180 --> 00:49:16,820 they don't gather like credit card information and stuff like that 746 00:49:16,820 --> 00:49:22,260 they only like jackpot - as Barnaby Jack called it - the ATMs 747 00:49:22,260 --> 00:49:24,580 they only dispense money from the ATM 748 00:49:24,580 --> 00:49:27,620 for the first question, what was the first question again? 749 00:49:27,620 --> 00:49:30,820 what was the time span between the infection and the cash out? 
750 00:49:30,820 --> 00:49:34,580 how much time is between the infection and the actual cash out 751 00:49:34,580 --> 00:49:40,140 we discovered that it was only two to three days 752 00:49:40,140 --> 00:49:47,180 so they could have any time between that, but they really try to make it short 753 00:49:47,180 --> 00:49:51,780 and of course they waited for the right time, so right after the recharging 754 00:49:51,780 --> 00:49:56,540 because that's the point of the most money 755 00:49:56,540 --> 00:49:59,140 okay, then number 3 please 756 00:49:59,140 --> 00:50:01,600 hi, thank you for your talk 757 00:50:01,600 --> 00:50:04,180 question about banking security 758 00:50:04,180 --> 00:50:08,860 this being Windows XP, I missed the part of code signing 759 00:50:08,860 --> 00:50:12,260 and verified publishers and such 760 00:50:12,260 --> 00:50:17,070 do banks employ these security measures or not? 761 00:50:17,900 --> 00:50:19,860 they do have security measures 762 00:50:19,860 --> 00:50:25,470 but they're only implemented when the XP is running 763 00:50:25,470 --> 00:50:28,890 so they have whitelisting for applications 764 00:50:28,890 --> 00:50:31,110 they have monitoring for the process 765 00:50:31,110 --> 00:50:33,300 and they have an anti-virus 766 00:50:33,300 --> 00:50:34,540 and of course something like that 767 00:50:34,540 --> 00:50:37,870 but in essence everyone can dump their own software on it and run it 768 00:50:37,870 --> 00:50:43,220 there is no whitelist for signatures or publishers, right? 
769 00:50:43,220 --> 00:50:44,580 there is a whitelist 770 00:50:44,580 --> 00:50:49,940 actually there is, but that was the point why they did that 771 00:50:49,940 --> 00:50:52,500 via bootable USB stick 772 00:50:52,500 --> 00:50:58,600 because they wrote this DLL just within the system folder 773 00:50:58,600 --> 00:51:02,140 and they have a whitelist for applications, but not for the DLLs 774 00:51:02,140 --> 00:51:05,100 which these applications are using 775 00:51:05,100 --> 00:51:10,820 I mean, it goes without saying that you can take measures to make the ATMs more secure 776 00:51:10,820 --> 00:51:12,660 because this is kind of a trivial attack 777 00:51:12,660 --> 00:51:14,700 and as you said, everybody could do that 778 00:51:14,700 --> 00:51:16,820 and that's kind of the reason why we're giving this talk 779 00:51:16,820 --> 00:51:21,350 it's no use in keeping vulnerabilities secret 780 00:51:21,350 --> 00:51:24,220 they should be like talked about openly 781 00:51:24,220 --> 00:51:27,260 and then people can go and fix their problems, right 782 00:51:27,260 --> 00:51:28,300 thank you 783 00:51:30,090 --> 00:51:36,220 do we have a question from IRC or the community out there? 784 00:51:37,010 --> 00:51:39,660 yes there was one question coming from IRC 785 00:51:39,660 --> 00:51:46,200 which was: how to get on the USB printer port to reverse that machine? 786 00:51:48,100 --> 00:51:50,200 can you repeat the question please? 787 00:51:50,200 --> 00:51:54,540 how to get on the USB port or printer port to reverse that machine? 788 00:51:57,700 --> 00:52:01,820 this was just via cutting a hole into the chassis 789 00:52:01,820 --> 00:52:03,620 so this is just a... 
790 00:52:03,620 --> 00:52:05,700 this is no metal, this is not a safe
791 00:52:05,700 --> 00:52:08,180 so this is just plastic
792 00:52:08,180 --> 00:52:10,200 and there you can just cut a hole in it
793 00:52:10,200 --> 00:52:13,580 and then you can actually access the USB port
794 00:52:13,580 --> 00:52:18,300 I mean, they physically damaged the ATM to be able to access the USB port
795 00:52:18,300 --> 00:52:21,860 and then they had to cut the network connection
796 00:52:21,860 --> 00:52:23,659 and that triggered a reboot
797 00:52:23,659 --> 00:52:25,980 so it's really a trivial attack
798 00:52:25,980 --> 00:52:27,300 not that hard
799 00:52:28,880 --> 00:52:30,260 okay, number 4 please
800 00:52:30,880 --> 00:52:32,340 yes
801 00:52:32,340 --> 00:52:33,900 two-part question
802 00:52:33,900 --> 00:52:38,860 you would think that banking and money would be a high-priority thing to secure
803 00:52:38,860 --> 00:52:41,260 why are they using Windows XP?
804 00:52:41,260 --> 00:52:43,180 and the second one is
805 00:52:43,180 --> 00:52:46,660 *applause*
806 00:52:46,660 --> 00:52:48,300 second one is
807 00:52:48,300 --> 00:52:51,860 if there was a time-frame of, I think it was three days, between the two attacks
808 00:52:51,860 --> 00:52:55,200 why don't they realize there is a hole cut into their ATM and just...
809 00:52:55,200 --> 00:52:56,660 change it out?
810 00:52:56,660 --> 00:52:59,540 *applause*
811 00:52:59,540 --> 00:53:01,420 there is a...
812 00:53:01,420 --> 00:53:04,700 that depends on the USB port that they used
813 00:53:04,700 --> 00:53:06,380 there is one on the back, so you don't see it
814 00:53:06,380 --> 00:53:08,100 and the other is just...
815 00:53:08,100 --> 00:53:17,100 you can cut that very exactly and then they just repaired it afterwards
816 00:53:17,100 --> 00:53:22,850 they just fixed it
817 00:53:22,850 --> 00:53:24,700 and for the first question
818 00:53:24,700 --> 00:53:30,700 the problem in the main cases is that there are hundreds of thousands of teller machines
819 00:53:30,700 --> 00:53:33,539 for each bank
820 00:53:33,539 --> 00:53:36,140 and that's just the problem
821 00:53:36,140 --> 00:53:38,300 they are of course starting to renew that
822 00:53:38,300 --> 00:53:43,180 but by the time they are done with that
823 00:53:43,180 --> 00:53:48,660 Windows has already released two newer versions of operating systems
824 00:53:48,660 --> 00:53:51,860 and that's one part of it
825 00:53:51,860 --> 00:53:58,200 and the other thing: if we had Windows 7 here, it wouldn't change a thing
826 00:53:58,200 --> 00:54:02,730 I mean, that's probably a question for the banks that we can't really answer
827 00:54:02,730 --> 00:54:06,600 but as long as they're covered by insurances
828 00:54:06,600 --> 00:54:08,140 they don't really have to care
829 00:54:08,140 --> 00:54:09,940 which is of course kind of short-sighted
830 00:54:09,940 --> 00:54:14,370 but maybe that's how it works
831 00:54:15,100 --> 00:54:20,300 okay, and now the last question from number 1
832 00:54:20,300 --> 00:54:25,500 hi there, I was just curious about this particular ATM model
833 00:54:25,500 --> 00:54:32,380 if we're framing this picture as, let's say, the state of security and ATM technology
834 00:54:32,380 --> 00:54:37,900 or if it's just, let's say, an example of how not to build an ATM
835 00:54:37,900 --> 00:54:40,740 I mean, are these bad guys simply the first who found out
836 00:54:40,740 --> 00:54:43,460 well, it's basically that simple
837 00:54:43,460 --> 00:54:48,220 or is it just, let's say, a really bad model they have been exploiting?
838 00:54:50,650 --> 00:54:54,200 that all depends on the original cash client
839 00:54:54,200 --> 00:55:00,340 so the teller machines are all the same, but every bank has its own cash client
840 00:55:00,340 --> 00:55:07,260 it's its own software which is really doing the cashing out
841 00:55:07,260 --> 00:55:09,180 and they're all different
842 00:55:09,180 --> 00:55:12,618 and you have to develop the malware exactly for just one cash client
843 00:55:12,618 --> 00:55:16,380 because it won't work on others
844 00:55:16,380 --> 00:55:18,140 I mean, sorry
845 00:55:18,940 --> 00:55:21,740 I mean, also speaking about this physical security
846 00:55:21,740 --> 00:55:24,100 I mean, having an easily accessible USB port
847 00:55:24,100 --> 00:55:29,860 and booting USB images without any additional security measure
848 00:55:29,860 --> 00:55:32,140 I mean, is this state of the art?
849 00:55:33,410 --> 00:55:34,780 no, it's not
850 00:55:34,780 --> 00:55:36,580 actually this has been fixed
851 00:55:36,580 --> 00:55:38,900 because there is whole-disk encryption in place now
852 00:55:38,900 --> 00:55:42,460 that just prevents this way of attack
853 00:55:42,460 --> 00:55:49,980 but yeah, it's not implemented at all teller machines currently
854 00:55:49,980 --> 00:55:52,940 so yes, it's kind of state of the art
855 00:55:52,940 --> 00:55:56,100 yeah, great, thank you
856 00:55:56,100 --> 00:55:58,260 okay, then now
857 00:55:58,260 --> 00:56:04,260 thank you to our security researchers
858 00:56:04,260 --> 00:56:07,100 give them a great and warm applause, please
859 00:56:07,100 --> 00:56:10,163 thanks for coming, thank you
860 00:56:10,163 --> 00:56:18,762 subtitles created by c3subtitles.de